controlling information system
TRANSCRIPT
Controlling Information
Systems: Introduction to
Internal Control
2
Why do we need controls?
• (1) to provide reasonable assurance that the goals of each business process are being achieved
• (2) to mitigate the risk that the enterprise will be exposed to some type of harm, danger, or loss (including loss caused by fraud or other intentional and unintentional acts)
• (3) to provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations.
3
Common Business Exposures1. Erroneous recordkeeping2. Unacceptable accounting3. Business interruption4. Erroneous management decisions5. Fraud and embezzlement6. Statutory sanctions7. Excessive costs8. Loss or destruction of resources9. Competitive disadvantage
4
Five Interrelated Components of Internal Control
1. Control environment- tone at the top2. Risk assessment - identification/analysis of risks3. Control activities - policies and procedures4. Information & communication - processing of
info in a form and time frame to enable people to do their jobs
5. Monitoring - process that assess quality of internal control over time
5
Gelinas, Sutton & Hunton’s Working Definition of IC: Key Points
• A system of internal control is not an end in itself. Rather, it is a means to an end—the end of attaining process objectives
• Internal control itself is a system. Therefore, like any system it must – (1) have clearly defined goals and – (2) consist of interrelated components that act in concert to achieve those
goals.– We can also say that internal control is a process
• Establishing a viable internal control system is management’s responsibility.
• The strength of any internal control system is largely a function of the people who operate it.
• Internal control cannot be expected to provide absolute, 100% assurance that the organization will reach its objectives. Rather, the operative phrase is that it should provide reasonable assurance
• Internal control is not free; controls should be built in and cost effective
6
Gelinas, Sutton & Hunton’s Working Definition of IC
• …a system of integrated elements - people, structure, processes, and procedures - acting in concert to provide reasonable assurance that an organization achieves business process goals. The design and operation of the internal control system is the responsibility of top management and therefore should:
7
(Text definition of IC cont.)
• Reflect management’s careful assessment of risks.
• Be based on management’s evaluation of costs versus benefits.
• Be built on management’s strong sense of business ethics and personal integrity.
8
General Control Model: Figure 7.1
9
Business Process Control Goals
• Control Goals - ends to be obtained– Control goals of operations processes– Control goals of information processes– See Table 7.1 Control Goals (page 244)
10
Control Goals of the Operations Process
• Ensure effectiveness of operations• Ensure efficient employment of
resources• Ensure security of resources
11
Control Goals of Operations Process• Ensure effectiveness of operations
– A measure of success in meeting one or more operations process goals which reflect the criteria used to judge the effectiveness of various business processes
– Ex. Deposit cash receipts on the day received
• Ensure efficient employment of resources– A measure of the productivity of the resources applied to achieve a
set of goals– Ex. What is the cost of people, computers, and other resources to
deposit cash on the day received
• Ensure security of resources– Protecting an organization’s resources from loss, destruction,
disclosure, copying, sale, or other misuse– Ex. Are cash and information resources available when required?– Are they put to authorized use?
12
Control Goals of the Information Process
• For business event inputs, ensure–Input validity–Input completeness–Input accuracy
• For master data, ensure–update completeness–update accuracy
13
Control Goals of Information Process• Input validity
– Input data approved and represent actual economic events and objects– Ex. Are all cash receipts input into the process and supported by
customer payments• Input completeness
– Requires that all valid events or objects be captured and entered into the system
– Ex. Are all valid customer payment captured on a customer remittance advice (RA) and entered into the process? Input accuracy (correct data entered correctly)
• Input Accuracy– Requires that events be correctly captured and entered into the system– Ex. Is correct payment amount and customer number on the RA? – Ex. Is the correct payment amount and customer number keyed into
the system?
14
Control Goals of Information Process
• Update completeness– Requires all events entered into the computer are reflected in their
respective master data– Ex. Are all input cash receipts recorded in the AR master data?
• Update accuracy– Requires that data entered into a computer are reflected correctly in
their respective master data– Ex. Are all input cash receipts correctly recorded in the AR master
data?
15
Business Process Control Plans• Business Process Control Plans - reflect information
processing policies and procedures that assist in accomplishing control goals– The Control Environment The fact that the control environment
appears at the top of the hierarchy illustrates that the control environment comprises a multitude of factors that can either reinforce or mitigate the effectiveness of the pervasive and application control plans.
– Pervasive control plans also relate to a multitude of goals and processes
• Like the control environment, they provide a climate or set of surrounding conditions in which the various business processes operate.
• They are broad in scope and apply equally to all business processes, hence they pervade all systems.
– Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process the data.
16
17
Other Classifications of Control Plans• Preventive Controls: Issue is prevented
from occurring – cash receipts are immediately deposited to avoid loss
• Detective Controls: Issue is discovered – unauthorized disbursement is discovered during reconciliation
• Corrective Controls: issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data
18
The Control Matrix
• The control matrix is a tool designed to assist you in analyzing a systems flowchart and related narrative.
• It establishes the criteria to be used in evaluating the controls in a particular business process.
19
Sample Control Matrix
20
Steps in Preparing Control MatrixI. Specifying control goals represents
the first step in building a control matrix. The goals are listed across the top row of the matrix.
1. Identify the operations process goalsa. Effectiveness goalsb. Efficiency goalsc. Security goals
2. Identify Information Process Goalsa. Input Goalsb. Update Goals
21
Operations Process Goals: Effectiveness Goals
i. Ensure the successful accomplishment of the goals set forth for the business process
ii. Different processes have different effectiveness goals. For Causeway’s cash receipts process we include only two examples here:
– Goal A—to accelerate cash flow by promptly depositing cash receipts.– Goal B—to ensure compliance with compensating balance agreements
with the depository bank.– Other possible goals of a cash receipts would be shown as goals C, D,
and so forth, and described at the bottom of the matrix (in the matrix legend).
iii. With respect to other business processes, such as production, we might be concerned with effectiveness goals related to the following:
– Goal A—to maintain customer satisfaction by finishing production orders on time.
– Goal B—to increase market share by ensuring the highest quality of finished goods.
22
Operations Process Goals: Efficiency Goals
i. The purpose of efficiency control goals of the operations process is to ensure that all resources used throughout the business process are being employed in the most productive manner
ii. In parentheses, notice that we have listed two resources of the cash receipts process for which efficiency is applicable—people and computers.
• In fact, people and computers would always be considered in the efficiency assessments related to accounting information systems.
iii. In other business processes, such as receiving goods and supplies, we might also be concerned with the productive use of equipment such as trucks, forklifts, and hand-held scanners.
23
Operations Process Goals: Security Goals
i. The purpose of security control goals of the operations process is to ensure that entity resources are protected from loss, destruction, disclosure, copying, sale, or other misuse.
ii. In parentheses, we have included two resources of the cash receipts process over which security must be ensured—cash and information (accounts receivable master data). • With any business process, we are concerned with information that is
added, changed, or deleted as a result of executing the process, as well as assets that are brought into or taken out of the organization as a result of the process, such as cash, inventory, and fixed assets.
iii. With regard to other business processes, such as shipping, we might include customer master data and shipping data. • Note: The security over hard assets used to execute business
processes, such as computer equipment, trucks, trailers, and loading docks, is handled through pervasive controls (discussed in Chapter 7).
24
Information Process Goals: Input Goalsi. With respect to all business process data entering the
system, the purpose of input goals of the information process is to ensure:
• input validity (IV)• input completeness (IC) and • input accuracy (IA).
ii. With the cash receipts process, we are concerned with input validity, accuracy, and completeness over cash receipts
• Here, they are in the form of remittance advices• Notice that we specifically name the input data of concern in
parentheses.iii. With respect to other business processes, such as hiring
employees, we would be concerned with other inputs, such as employee, payroll, and benefit plan data.
25
Information Process Goals: Update Goalsi. Update goals must consider all related information that will
be affected by the input data, including master file data and ledger data. For the business process input data, the purpose of update control goals of the information process is to ensure:• The update completeness (UC) and • Update accuracy (UA)
ii. With regard to the cash receipts information process, we recognize that the accounts receivable data will be updated by cash receipts • Cash received reflects the debit and customer account reflects the
credit). • Notice that we list accounts receivable master data in the control
matrix.iii. Other business processes, such as cash payments, would
involve different update concerns, such as vendor, payroll, or accounts payable master data.
26
Steps in Preparing the Control Matrix
II. Recommending Control Plans1. Annotating “Present” Control Plans2. Evaluating “Present” Control Plans3. Identifying and Evaluating “Missing”
Control Plans
27
Causeway Annotated Systems Flowchart
28
Annotating Present Control Plans
• Start on the upper left-hand column of the systems flowchart and spot the first manual keying symbol, manual process symbol, or computer process symbol (process related symbols)
• Then, follow the sequential logic of the systems flowchart and identify all of the process-related symbols.
• Each process-related symbol reflects an internal control plan which is already present.
• It is important to recognize that while a control plan may be present, it may not be working as effectively as it should; thus, you might recommend ways to strengthen or augment existing control plans
29
Annotate the Process Flow Chart
• Review the flowchart and determine whether a control is present (P-) or missing (M-)
• Annotate the flowchart– If controls are present, mark P-– If controls are absent, mark M-
30
Annotating Present Control Plans
a. Reviewing the Causeway systems flowchart (Figure 9.2), you will find that the first process-related symbol is entitled “Endorse checks.” – Because this process appears on the flowchart, this
control plan already exists, meaning, it is present as opposed to missing.
– Accordingly, place a P- beside the process, indicating that is it present, and a 1 beside the P- reflecting the first present control plan on the flowchart.
– As a result, you should have annotated the systems flowchart with a P-1.
31
Annotating Present Control Plansb. Continue reviewing the systems
flowchart by following its sequential logic, annotating the flowchart with P-2, P-3, and so on until you have accounted for all present control plans.
- Notice on the Flowchart (Figure 9-2), that eight control plans (P-1–P-8) are already present at Causeway.
32
Evaluating “Present” Control Plans:• Write number (P-1, P-2, P-3 through P-n) and name of
each control plan in the left-hand column of the control matrix.
• Then, starting with P-1, look across the row and determine which control goals the plan addresses and place a P-1 in each cell of the matrix for which P-1 is applicable.
• It is possible that a given control plan can attend to more than one control goal.
• Continue this procedure for each of the present control plans.
• Simultaneously, in the legend of the matrix, describe how the control plan addresses each noted control goal.
33
Identifying and Evaluating “Missing” Control Plans:
• The next step in recommending control plans is to determine if additional controls are needed to address missing control goal areas, strengthen present control plans, or both.
34
Identifying and Evaluating “Missing” Control Plans:
• Examining the controls matrix: The first place to start is to look at the control matrix and see if there are any control goals (operations or information) for which no present control plan is addressing.
• If so, you need to do the following:i. In the left-hand column of the matrix, number the first missing control plan
as M-1 and label or title the plan.ii. Across the matrix row, place M-1 in each cell for which the missing control
is designed.iii. In the legend of the matrix, explain how the missing control will address
each noted control goal.iv. On the systems flowchart, annotate M-1 where the control should be
inserted.v. If there are still control goals for which no control plan has addressed,
develop another plan (M-2) and repeat the four previous steps (i through iv). Continue this procedure until each control goal on the matrix is addressed by at least one control plan.
• With regard to Causeway, we have noted two missing control plans in the sample control matrix for the Cash Receipts Business Process
• M-1 and M-2, although more might exist
35
Evaluating the systems flowchart: • Even though all of the control goals on the matrix are now
addressed, closely review the systems flowchart one more time.
• Look for areas where further controls are needed. • Just because all control goals on the matrix have one or
more associated control plans, we might have to to add more control plans or strengthen existing plans to reduce residual risk to an acceptable level in certain areas.
• It takes training and experience to spot risks and weaknesses of this nature
• In Chapters 10 through 16 you will learn more about how to make such critical internal control assessments.
36
Sample Control Plans for Data Input
1. Processing input data without access to master data
2. Processing input data with access to master data
3. Batch input
37
Processing input data without access to master data
• Because systems without master data require manual keying of data (an error prone process), special controls are necessary to ensure control goals are met– Entry w/o master data implies that a database
does not exist or is unavailable to verify data– This makes controls over entry of data more
important
38
Data Entry
Without Master Data
39
Available Control Plans for Data Input
• Note that the first process-related symbol appears as “key document” in the first column (data entry clerk 1).– P-1: Document Design—source document is
designed to easily complete and key data– P-2: Written Approvals—signature or initials
indicating approval of event processing– P-3: Preformatted Screens—defines acceptable
format for each data field (e.g., 9 numeric characters for SSN)
– P-4: Online Prompting—requests user input or asks questions, e.g., message box
40
Available Control Plans for Data Input, Cont’d.
• The next process-related symbol (edit input) appears in the second column (data entry devices).
• P-5: Programmed Edit Checks – Automatically performed by data entry programs upon
entry of data• Reasonableness checks (limit checks)—tests input for values
within predetermined limits• Document/record hash totals—compares computer total to
manually calculated total• Mathematical accuracy checks—compare calculations
performed manually to computer calculations, e.g., compare invoice total to manually entered to computer calculated total
• Check Digit verification – a functionally dependent extra digit is appended to a number; if miskeying occurs, a check digit mismatch occurs and the system rejects the input
41
Available Control Plans for Data Input• P-6: Procedures for rejected input—rejected inputs
are corrected and resubmitted for processing• P-7: Keying corrections—clerk corrects inputs• P-8: Interactive feedback checks—computer
informs clerk that input has been accepted/rejected• P-9: Record input—record is recorded in
transaction data rather than being re-keyed at another time
• M-1: Key verification—data is keyed by two different individuals then compared by the computer
42
Control Matrix w/o
Master Data
43
Control Plans for Data Entry With Master Data
• When standing (master) data is present, data entered can be verified by existing data providing additional data-entry controls– Data entry with master data implies the presence of an existing
database populated with data– Data in the database is used to populate entry forms or is compared
to data entered• If we have available the actual customer master data, we
can use the customer number to call up the stored customer master data and determine if the customer number has been entered correctly, if the customer exists, the customer’s correct address, and so forth.
• In the next section we describe the additional controls available to us when master data is available during data entry.
44
Systems Flowchart: Data Entry With Master Data
45
Control Matrix Data Entry with
Master Data
46
Recommended Control Plans with Master Data
• P-1: Enter data close to originating source– Input data is entered directly and immediately it reduces
input costs, inputs are less likely to be lost, errors are less likely and can more easily corrected
– Online transaction entry (OLTE), online real-time processing (OLRT), and online transaction processing (OLTP) are all examples of this processing strategy.
• P-2: Digital signatures– Authenticate that the sender of the message has the
authority to send it and detects messages that have been altered in transit
– an application of public key cryptography involving the use of a private encryption key to “sign” the data transmitted
47
Recommended Control Plans with Master Data
• P-3: Populate input with master data– User enters an entity’s ID code and the system then
retrieves certain data about that entity from existing master data.
– User might be prompted to enter the customer ID (code). – By accessing the customer master data, the system
automatically provides data such as the customer’s name and address, the salesperson’s name, and the sales terms.
– This reduces the number of keystrokes required, making data entry quicker, more accurate, and more efficient.
– Therefore, the system automatically populates input fields with existing data
48
Recommended Control Plans with Master Data• P-4: Compare input data with master data—the system compares inputs with
standing (master) data to ensure their accuracy and validity– Input/master data dependency checks
• These edits test whether the contents of two or more data elements or fields on an event description bear the correct logical relationship.
• For example, input sales events can be tested to determine whether the salesperson works in the customer’s territory.
• If these two items don’t match, there is some evidence that the customer number or the salesperson identification was input erroneously.
– Input/master data validity and accuracy checks• These edits test whether master• data supports the validity and accuracy of the input. For example, this
edit• might prevent the input of a shipment when no record of a
corresponding customer• order exists. If no match is made, we may have input some data
incorrectly,• or the shipment might simply be invalid. We might also compare
elements• within the input and master data.
49
Recommended Control Plans with Master Data
• P-5: Procedures for rejected inputs– After processing the input, the user compares the input with the master data
to determine whether the input either is acceptable or contains errors, and that any errors are corrected and resubmitted
• P-6: Key Corrections – The clerk completes the procedures for rejected inputs by keying the
corrections into the computer thus ensuring that the input is accurate.• P-7: Record Input
– Once all necessary corrections are made, the user accepts the input.– This action triggers the computer to simultaneously record the input in the
transaction file and inform the user that the input data has been accepted.• P-8: Interactive Feedback Checks
– These interactive programmed features inform the user that the input has been accepted and recorded or rejected for processing.